lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <aWWZb3eRfQdB4OsI@mail-itl>
Date: Tue, 13 Jan 2026 02:01:34 +0100
From: Marek Marczykowski-Górecki <marmarek@...isiblethingslab.com>
To: Mario Limonciello <mario.limonciello@....com>,
	Yazen Ghannam <yazen.ghannam@....com>
Cc: "maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)" <x86@...nel.org>,
	"open list:AMD NODE DRIVER" <linux-kernel@...r.kernel.org>,
	regressions@...ts.linux.dev
Subject: kernel NULL pointer dereference in
 quirk_clear_strap_no_soft_reset_dev2_f0 -> amd_smn_read

Hi,

I've got a report that kernel 6.17.9 crashes when running a Xen HVM domU
with AMD Raphael/Granite Ridge USB controller passed through.
It worked correctly in 6.12.59. Between those versions, I don't see any
relevant change to quirk_clear_strap_no_soft_reset_dev2_f0() function,
but the AMD node driver did got some changes, so my guess is one of them
is to blame. I know the good-bad range is huge, but there aren't that
many changes to the AMD node driver in this range.

It's running on Qubes OS 4.3, which uses Xen 4.19, and does PCI
passthrough of USB controllers to a dedicated VM (HVM).

The full crash message is:

    [    0.302571] pci 0000:00:08.0: quirk_usb_early_handoff+0x0/0x180 took 16590 usecs
    [    0.303172] BUG: kernel NULL pointer dereference, address: 0000000000000000
    [    0.303189] #PF: supervisor read access in kernel mode
    [    0.303202] #PF: error_code(0x0000) - not-present page
    [    0.303216] PGD 0 P4D 0 
    [    0.303225] Oops: Oops: 0000 [#1] SMP NOPTI
    [    0.303236] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.17.9-1.qubes.fc41.x86_64 #1 PREEMPT(full) 
    [    0.303258] Hardware name: Xen HVM domU, BIOS 4.19.3 08/26/2025
    [    0.303273] RIP: 0010:__amd_smn_rw+0x30/0x100
    [    0.303288] Code: 05 bd 44 b8 01 66 0f af 05 2d 44 b8 01 41 57 41 56 41 55 41 54 55 53 66 39 c2 0f 83 c0 00 00 00 48 8b 05 c3 61 d7 02 0f b7 d2 <4c> 8b 34 d0 4d 85 f6 0f 84 a9 00 00 00 80 3d a4 61 d7 02 00 0f 84
    [    0.303327] RSP: 0018:ffffcdd30001fd68 EFLAGS: 00010297
    [    0.303341] RAX: 0000000000000000 RBX: ffffcdd30001fdb4 RCX: 0000000010136008
    [    0.303359] RDX: 0000000000000000 RSI: 0000000000000064 RDI: 0000000000000060
    [    0.303377] RBP: ffffffffa684bb80 R08: ffffcdd30001fdb4 R09: 0000000000000000
    [    0.303395] R10: ffffffffa7567420 R11: 0000000000000020 R12: ffff8dd081dff000
    [    0.303413] R13: ffffffffa736ab60 R14: 00000000055ee14a R15: ffff8dd081dff000
    [    0.303434] FS:  0000000000000000(0000) GS:ffff8dd0e87c1000(0000) knlGS:0000000000000000
    [    0.303452] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [    0.303468] CR2: 0000000000000000 CR3: 000000000c62c000 CR4: 0000000000750ef0
    [    0.303487] PKRU: 55555554
    [    0.303495] Call Trace:
    [    0.303504]  <TASK>
    [    0.303513]  ? __pfx_quirk_clear_strap_no_soft_reset_dev2_f0+0x10/0x10
    [    0.304112]  amd_smn_read+0x27/0x50
    [    0.304112]  quirk_clear_strap_no_soft_reset_dev2_f0+0x37/0x80
    [    0.304112]  pci_fixup_device+0xf6/0x1b0
    [    0.304112]  pci_apply_final_quirks+0xe9/0x280
    [    0.304112]  ? __pfx_pci_apply_final_quirks+0x10/0x10
    [    0.304112]  do_one_initcall+0x57/0x310
    [    0.304112]  do_initcalls+0x1ef/0x240
    [    0.304112]  kernel_init_freeable+0x187/0x210
    [    0.304112]  ? __pfx_kernel_init+0x10/0x10
    [    0.304112]  kernel_init+0x1a/0x140
    [    0.304112]  ret_from_fork+0xf2/0x110
    [    0.304112]  ? __pfx_kernel_init+0x10/0x10
    [    0.304112]  ret_from_fork_asm+0x1a/0x30
    [    0.304112]  </TASK>
    [    0.304112] Modules linked in:
    [    0.304112] CR2: 0000000000000000
    [    0.304112] ---[ end trace 0000000000000000 ]---
    [    0.304112] RIP: 0010:__amd_smn_rw+0x30/0x100
    [    0.304112] Code: 05 bd 44 b8 01 66 0f af 05 2d 44 b8 01 41 57 41 56 41 55 41 54 55 53 66 39 c2 0f 83 c0 00 00 00 48 8b 05 c3 61 d7 02 0f b7 d2 <4c> 8b 34 d0 4d 85 f6 0f 84 a9 00 00 00 80 3d a4 61 d7 02 00 0f 84
    [    0.304112] RSP: 0018:ffffcdd30001fd68 EFLAGS: 00010297
    [    0.304112] RAX: 0000000000000000 RBX: ffffcdd30001fdb4 RCX: 0000000010136008
    [    0.304112] RDX: 0000000000000000 RSI: 0000000000000064 RDI: 0000000000000060
    [    0.304112] RBP: ffffffffa684bb80 R08: ffffcdd30001fdb4 R09: 0000000000000000
    [    0.304112] R10: ffffffffa7567420 R11: 0000000000000020 R12: ffff8dd081dff000
    [    0.304112] R13: ffffffffa736ab60 R14: 00000000055ee14a R15: ffff8dd081dff000
    [    0.304112] FS:  0000000000000000(0000) GS:ffff8dd0e87c1000(0000) knlGS:0000000000000000
    [    0.304112] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [    0.304112] CR2: 0000000000000000 CR3: 000000000c62c000 CR4: 0000000000750ef0
    [    0.304112] PKRU: 55555554
    [    0.304112] Kernel panic - not syncing: Fatal exception

The device, as seen from within the VM:

    00:09.0 USB controller [0c03]: Advanced Micro Devices, Inc. [AMD] Raphael/Granite Ridge USB 2.0 xHCI [1022:15b8] (prog-if 30 [XHCI])
        Subsystem: ASUSTeK Computer Inc. Device [1043:8877]
        Physical Slot: 9
        Flags: bus master, fast devsel, latency 0, IRQ 21
        Memory at f2200000 (64-bit, non-prefetchable) [size=1M]
        Capabilities: [48] Vendor Specific Information: Len=08 <?>
        Capabilities: [50] Power Management version 3
        Capabilities: [64] Express Endpoint, IntMsgNum 0
        Capabilities: [a0] MSI: Enable- Count=1/1 Maskable- 64bit+
        Capabilities: [c0] MSI-X: Enable+ Count=8 Masked-
        Kernel driver in use: xhci_hcd
        Kernel modules: xhci_pci
    00: 22 10 b8 15 07 04 10 00 00 30 03 0c 10 00 00 00
    10: 04 00 20 f2 00 00 00 00 00 00 00 00 00 00 00 00
    20: 00 00 00 00 00 00 00 00 00 00 00 00 43 10 77 88
    30: 00 00 00 00 48 00 00 00 00 00 00 00 2e 01 00 00
    40: 00 00 00 00 00 00 00 00 09 50 08 00 43 10 77 88
    50: 01 64 03 00 08 00 00 00 00 00 00 00 00 00 00 00
    60: 31 60 00 00 10 a0 02 00 a1 8f 00 00 30 29 00 00
    70: 04 0d 40 00 00 00 04 11 00 00 00 00 00 00 00 00
    80: 00 00 00 00 00 00 00 00 1f 00 01 00 00 00 00 00
    90: 1e 00 80 01 04 00 1f 00 00 00 00 00 00 00 00 00
    a0: 05 c0 80 00 00 00 00 00 00 00 00 00 00 00 00 00
    b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    c0: 11 00 07 80 00 e0 0f 00 00 f0 0f 00 00 00 00 00
    d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Any ideas?

Original report at (with full kernel log etc): https://forum.qubes-os.org/t/yet-another-usb-keyboard-thread/38355/8

#regzbot introduced: v6.12.59..v6.17.9

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ